Update win_rare_service_installs.yml

same count() by ServiceFileName < 5 aded to make sigmac work with elastalert integration
2024-11-06 17:35:19 +00:00 · 2018-12-05 05:33:56 +03:00 · 2018-12-05 05:33:56 +03:00 · c8990962d2
commit c8990962d2
parent f0b23af10d
1 changed files with 2 additions and 2 deletions
--- a/rules/windows/builtin/win_rare_service_installs.yml
+++ b/rules/windows/builtin/win_rare_service_installs.yml
@ -13,8 +13,8 @@ detection:
    selection:
        EventID: 7045
    timeframe: 7d
-    condition: selection | count(ServiceFileName) < 5 
+    condition: selection | count() by ServiceFileName < 5 
 falsepositives: 
    - Software installation
    - Software updates
-level: low
+level: low